RECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT
|
|
- Leon Sutton
- 5 years ago
- Views:
Transcription
1 RECTIFIED DIFFERENTIAL CRYPTANALYSIS OF 16 ROUND PRESENT Manoj Kumar 1, Pratibha Yadav, Meena Kumari SAG, DRDO, Metcalfe House, Delhi , India 1 ABSTRACT In this paper, we have suggested rectifications in differential cryptanalysis of ultra-lightweight block cipher PRESENT reduced to 16 rounds. We have shown that proposed differential attack by Wang [3] on 16 round PRESENT can recover at the most 30 subkey bits, although the author has claimed to recover 32 bits of subkey for last two rounds. We have also computed data complexity and success probability for recovering 30 subkey bits accordingly by the differential attack on 16 round PRESENT. KEYWORDS Lightweight block cipher, differential cryptanalysis, PRESENT 1. INTRODUCTION PRESENT [1] is an ultra-lightweight block cipher, proposed by A.Bogdanov et al. in CHES 2007 for extremely constrained environments such as RFID tags and sensor networks. Differential attack [2] against 16 round PRESENT was given by Wang [3] using 2 64 chosen plaintexts, bit counters and 2 64 memory accesses and it was claimed to recover 32 subkey bits by differential attack on 16 round PRESENT. In this paper, we have shown that 32 subkey bits of reduced round PRESENT cannot be recovered by this attack [4]. We have also shown that we can recover at the most 30 subkey bits by the differential attack on PRESENT reduced to 16 rounds. The rest of the paper is organized as follows: Section 2 gives a brief description of PRESENT. In section 3, differential attack on 16-round PRESENT given by Wang is discussed. In section 4, flaws in differential attack on PRESENT are analyzed and rectification for these flaws [4] is suggested. Section 5 concludes the paper. 2. DESCRIPTION OF PRESENT PRESENT [1] is a symmetric key ultra-lightweight block cipher. It takes plaintext block of length 64 bits and produces ciphertext block of 64 bits. It consists of total 31 rounds. Based on the length of the key there are two variants of PRESENT, denoted by PRESEST-80 and PRESENT-128 with key of length 80 bits and 128 bits respectively. Brief description of the encryption process and the key schedule for PRESENT-80 is given below. 2.1 The Encryption Process Each round of the PRESENT [1] has three layers of operations. The first layer of operations is addroundkey described as follows: b b k j j where b j, 0 j 63 is the current state and k i,j 1 i 32, 0 j 63 is the j th subkey bit of round key K i. DOI: /ijcis i, j
2 The second layer of operations is sboxlayer. PRESENT uses only one S-box S (Table 1) of length 4-bit which is applied 16 times in parallel in each round. Table 1: S-box x A B C D E F S[x] C 5 6 B 9 0 A D 3 E F The third layer of operations is player, the player is a bit permutation layer, in which bit i of a stage is moved to bit position P(i) according to the following rule: P(i) = i*16(mod 63), 1 i 62 and P(i) = i, for i= 0 & i = 63 We omit the key schedule algorithm of PRESENT as it is not used in our analysis. Interested readers can refer to [1] for details. 3. Differential Cryptanalysis of Reduced Round PRESENT [3] Differential cryptanalysis for recovering 32 subkey bits of 16 round PRESENT-80 by using round differential characteristics of probability 2-62 is given by Wang. 3.1 Difference pairs for S-box The difference distribution table (Table 2) for the S-box of PRESENT is given below, in which rows and columns represent X and Y value (in hexadecimal) respectively. Each element of the table represents the number of occurrences of the corresponding output difference Y given the input difference X, besides the special case of both input and output values being 0, the largest value in the table is 4. The smallest value in the table is 0 and occurs for many difference pairs. From table 2, we see that the maximum differential probability is 2-2. Table 2: Difference distribution table of S-box A B C D E F A B C D E F
3 3.2 Differential Characteristics [3] 24 differential characteristics for PRESENT are given by Wang [3] with the probability of each characteristic as Out of the 24 differential characteristics, 20 differential characteristics have different input differences but the same output difference and 4 pairs of differential characteristics have same input difference but different difference from the output of round 2 to the input of round 8. All the characteristics have the same difference after 8 th round. All of the 24 differential characteristics have 2 active S-boxes located in the position 0,1,2,12,13 and 14, so the S-boxes in position from 3 to 11 and 15 are all non-active. According to the output difference of differential characteristics for 14-round, there are two active S-boxes in round 15 which are x 0 and x 8, whose input difference is 9 and output differences will be 2, 4, 6, 8, 12 or 14. The least significant bit of all the possible output differences is zero; therefore at most 6 bits are non zero for the output difference of S-boxes in round 15. After player of round 15, the maximum number of active S- boxes for round 16 is 6 and minimum number of active S-boxes is 2 (E -mail communication: Wang, 2009). Considering 6 S-boxes in round 16 namely x 4, x 6, x 8, x 10, x 12 and x 14, Wang claimed to recover 24 bits of round subkey K 17 namely k 17,4, k 17,20, k 17,36, k 17,52, k 17,6, k 17,22, k 17,38, k 17,54, k 17,8, k 17,24, k 17,40, k 17,56, k 17,10, k 17,26, k 17,42, k 17,58, k 17,12, k 17,28, k 17,44, k 17,60, k 17,14, k 17,30, k 17,46, k 17,62 and 8 bits of round subkey K 16 namely k 16,0, k 16,8, k 16,16, k 16,24, k 16,32, k 16,40, k 16,48, k 16,56. The author has claimed to recover total 32 subkey bits. For getting right pairs for differential cryptanalysis, we xor bits of ciphertext pairs corresponding to non-active S-boxes namely x 0, x 1, x 2, x 3, x 5, x 7, x 9, x 11, x 13, x 15 and this sum should be zero for right pairs. After getting right pairs, bits of right pairs corresponding to active S-boxes in the last two rounds will be decrypted from 16 th round to 14 th round. 24 bits of round subkey K 17 and 8 bits of round subkey K 16 will be involved during decryption from round 16 to round RECTIFIED DIFFERENTIAL CRYPTANALYSIS We found that 32 subkey bits as claimed by Wang cannot be recovered by this attack. One can recover 24 bits of round subkey K 17 and 6 bits of round subkey K 16. Therefore at the most 30 subkey bits can be recovered by the proposed differential attack on 16 round PRESENT. This is shown graphically below in figure Flaws identified in Differential Cryptanalysis [4] In round 16, 24 ciphertext bits corresponding to 24 bits of round subkey K 17 are extracted for right pairs and x-ored with all possible values of 24 bits of round subkey K 17. After applying inverse player, the intermediate 24 bits namely C 16, C 17, C 18, C 19, C 24, C 25, C 26, C 27, C 32, C 33, C 34, C 35, C 40, C 41, C 42, C 43, C 48, C 49, C 50, C 51, C 56, C 57, C 58, C 59, will be passed through inverse S-box. In round 15, we are able to extract only 6 bits corresponding to 6 bits of round subkey K 16 from 24 bits of previous round. Extract these 6 ciphertext bits and xor these bits with all possible values of 6 bits of round subkey K 16. After applying inverse player, only 6 intermediate ciphertext bits namely C' 1, C' 2, C' 3, C' 33, C' 34, C' 35 are left to pass through inverse S-box. But in practice, we need 4 bits to pass through one S-box, as PRESENT uses one 4x4 S-box, which take 4 bits as input and produces 4 bits as output. These 6 bits cannot be grouped together to pass through inverse S-box. 33
4 Figure 1: Flaws in differential attack on 16 round PRESENT [4] K 16 k 56 k 48 k 40 k 32 k 24 k 16 k 8 k 0 K 17 k 62 k 60 k 58 k 56 k 54 k 52 k 46 k 44 k 42 k 40 k 38 k 36 k 30 k 28 k 26 k 24 k 22 k 20 k 14 k 12 k 10 k 8 k 6 k 4 Therefore we need bits at position C' 0 and C' 36 to complete the 4 bits set to pass through inverse S- box. For getting these two bits, either we need to decrypt additional 8 bits from 16 th round or we should be able to extract 8 intermediate ciphertext bits form 15 th round. But this is not possible due to output difference of difference distribution table for S-box in 15 th round and the possible outputs of 15 th round for input difference 1001 are all even with at the most 6 non zero bits, which leads to only 6 active S-boxes in 16 th round though we require 8 active S-boxes here. 4.2 Rectification in Differential Cryptanalysis For recovering 30 subkey bits, decrypt the ciphertext from round 16 to round 14. In round 16, extract 24 bits of ciphertext corresponding to 24 bits of round subkey K 17 namely k 17,4, k 17,20, k 17,36, k 17,52, k 17,6, k 17,22, k 17,38, k 17,54, k 17,8, k 17,24, k 17,40, k 17,56, k 17,10, k 17,26, k 17,42, k 17,58, k 17,12, k 17,28, k 17,44, k 17,60, k 17,14, k 17,30, k 17,46, k 17,62 and x-or these with all possible values of 24 subkey bits, and then apply inverse permutation layer and inverse S-box. After that extract 6 intermediate ciphertext bits in 15 th round corresponding to 6 bits of round subkey K 16 namely k 16,16, k 16,24, k 16,32, k 16,40, k 16,48, k 16,56 and x-or these with all possible values of 6 subkey bits and then apply inverse permutation layer. Now for each intermediate ciphertext pair, assume all 4 possible values 34
5 of additional two bits to complete set of 4 bits to pass through inverse S-box. After that apply inverse S-box and find out x-or of the two decrypted pairs and check whether it is the same x-or as suggested by the characteristics. If it is the same x-or value then increase the counter of the corresponding key value by 1 and the key giving the desired x-or value maximum number of times will be our correct values for the 30 subkey bits. 4.3 Computational Complexity As given by Wang [2], 2 40 structures (of 2 24 chosen plaintext each) are required in this attack possible values can be taken as inputs to 10 non-active S-boxes in each structure and the inputs to any two active S-boxes in each structure characteristic among the six S-boxes have 2 24 possible values. The number of pairs for each possible characteristic is 2 40 *2 16 *2 7 =2 63. The number of pairs satisfying 24 characteristics is 2 63 *20 = Since each characteristic has the same probability 2-62, so there are 2 63 *2-62 *24 = 48 right pairs satisfying any one characteristic. For each structure, there is (2 24 ) 2 /2 = 2 47 possible pairs, thus we have to consider total =2 87 pairs of plaintext. For each structure, each pair should have 10 non-active S-boxes in 16 th round satisfying each characteristic. After discarding wrong pairs, for each structure the number of candidates left for right pair is 2 47 *2-40 =2 7. Among 16 S-boxes in round 16, 10 S-boxes must be non-active. Among the remaining 6 S- boxes in round 16, we will consider 36 cases according to the output of the S-box in round 15. As input to round 15 S-box is 9, therefore the possible outputs from the S-box difference distribution table will be (2,2), (2,4), (2,6), (2,8), (2,C), (2,E), (4,2), (4,4), (4,6), (4,8), (4,C), (4,E), (6,2), (6,4), (6,6), (6,8), (6,C), (6,E), (8,2), (8,4), (8,6), (8,8), (8,C), (8,E), (C,2), (C,4), (C,6), (C,8), (C,C), (C,E), (E,2), (E,4), (E,6), (E,8), (E,C), (E,E). If an S-box is active, the input difference to this S-box should be 1 and output difference will be 3, 7, 9 or 13 and if S-box is non-active then input and output differences will be 0. Using this filter, discard any pair with a wrong output difference. So the expected number of remaining pairs for each structure is about: 2 7 *{9*(4/16) 2 (1/16) 4 +12*(4/16) 3 (1/16) 3 +10*(4/16) 4 (1/16) 2 +4*(4/16) 5 (1/16)+(4/16) 6 } = 2 7 * = For each structure, it is checked that whether the remaining pairs satisfy one of the 24 possible plaintext differences corresponding to 24 characteristic. Number of remaining pairs is a fraction of about 2-24 *20 = out of the 2 24 possible plaintext differences. So the expected number of remaining pairs in all 2 40 structures is 2 40 * * = We guess the 24 bits of round subkey K 17 and 6 bits of round subkey K 16 and decrypt the remaining ciphertext pairs from round 16 to round 14. There are at the most 4 pairs of occurrences for the given input difference and output difference, according to the difference distribution table of S-box for PRESENT. We denote number of active S-boxes in round 16 by t (2 t 6). We consider 5 cases according to the value of t as given in the table 3 below: 35
6 Table 3: Cases according to the number of active S-boxes t NCP TCS TCSRP *2-16 = * *4 4 *16 4 = *( )= * *4 5 *16 3 = *( )= * *4 6 *16 2 = *( )= * *4 7 *16 1 = *( )= * *4 8 *16 0 = where NCP = number of ciphertext pairs satisfying the condition of t active S-boxes TCS = the total counted subkey TCSRP = the total counted times of subkey for the remaining pairs The total counted times of subkey are about = Therefore, on an average wrong subkey will hit about /2 30 = 8.9 times, but still the right key can be identified because it is counted for the right pairs about 48 times. Therefore we can retrieve 30 subkey bits using at the most times encryptions of 2-round PRESENT and bit counters. We can find out 80 bit master key by exhaustively searching the remaining 50 bits of master key and the time complexity in this step will be round PRESENT encryptions. In modified attack, the signal to noise ratio [4] is S/N = (p*2 k ) / (α*β) = 2-62 *2 30 / ( * ) = 4.5 where p is the probability of the differential characteristics, k is the number of subkey bits involved in decryption from 16 th to 14 th round, α is the average count of keys that are suggested per analyzed pair after excluding the wrong pairs discarded before counting and β is the fraction of analyzed pair among all pairs. Success probability [4] for µ = p*n = 2-62 *2 63 *24 = 48 right pairs and k = 30 subkey bits involved in decryption from round 16 to round 14 is: P s = Thus we can obtain 30 subkey bits with the probability Time complexity is almost same as in [3], except the time complexity of round PRESENT encryptions in step 3 of the algorithm presented in [3]. 5. CONCLUSION In this paper, we have shown that proposed differential attack on 16 round PRESENT [2] cannot recover 32 subkey bits of 80 bit master key. We have also shown that one can recover at the most 30 subkey bits by the differential attack with the success probability of Lots of work has been done and is being done in [6], [7], [8], [9] on the basis of this differential attack given by Wang [3] assuming to recover 32 subkey bits of 16 round PRESENT, therefore the rectifications made out to come to the conclusion that the number of subkey bits recoverable by this attack is exactly 30 and not 32 as claimed earlier is very important for further research. 36
7 ACKNOLEDGEMENTS Authors are grateful to Dr. PK Saxena, Director SAG and Dr. SS Bedi, Associate Director SAG for their support and encouragement. We also thank Ms. Noopur Shrotriya for helping us in s/w implementation and Mr. Dhananjoy Dey for giving his valuable time in fruitful discussions. Authors are also thankful to anonymous reviewer for their fruitful comments and suggestions in improving the paper. REFERENCES [1] A Bogdanov, L Knudsen, G Leander, C Paar, A Poschmann, M Robshaw, Y Seurin and C Vikkelsoe; (2007) PRESENT: An Ultra-Lightweight Block Cipher, in the proceedings of CHES 2007, LNCS, vol. 4727, pp [2] Eli Biham and Adi Shamir; (1991) Differential Cryptanalysis of DES -like Cryptosystems, Journal of Cryptology, 1991, Vol. 4, No. 1, pp 3 72 [3] M Wang; (2008) Differential Cryptanalysis of Reduced -Round PRESENT, in the proceedings of AFRICACRYPT 2008, LNCS, vol. 5023, pp [4] M Kumar, P Yadav and M Kumari; (2010) Flaws in Differential Cryptanalysis of Re duced Round PRESENT, Cryptology e-print Archive Report 2010/407. Available at [5] AA Selcuk; (2008) On Probability of Success in Linear and Differential Cryptanalysis, Journal of Cryptology, 2008, Vol. 21, No.1, [6] Albrecht, M. and Cid, C. Algebraic Techniques in Differential Cryptanalysis, in the proceedings of Workshop on FSE 2008, LNCS, Vol. 5665, pp [7] C Blondeau and B Gerard; (2010) Links between Theoretical and Effective Differential Probabilities: Experiments on PRESENT, in Workshop on Tools for Cryptanalysis 2010 at [8] C Blondeau and B Gerard; (2011) Multiple Differential Cryptanalysis: theory and practice, in the proceedings of Workshop on Fast Software Encryption 2011, Available at [9] F Abazari and B Sadeghian; (2011) Cryptanalysis with Ternary Difference: Applied to Block Cipher PRESENT, in Cryptology e-print Archive Report 2011/22. Available at Authors Manoj Kumar received M.Sc. and M.Phil in Mathematics from CCS University, Meerut, India in year 2001 and 2004 respectively. He is currently pursuing Ph.D. in Cryptography from Department of Mathematics, University of Delhi, India. His main research areas are Design and Cryptanalysis of Block Ciphers. Pratibha Yadav received M.Sc. in Mathematics from University of Delhi, India in the year Her main research interests are fuzzy logic and cryptology. Meena Kumari received Ph.D. degree on Some Studies in Periodic Sequences over GF(2) from University of Delhi, India (1985). Her main research interests are design and analysis of crypto-algorithm. 37
Wenling Wu, Lei Zhang
LBlock: A Lightweight Block Cipher Wenling Wu, Lei Zhang Institute t of Software, Chinese Academy of Sciences 09-Jun-2011 Outline Background and Previous Works LBlock: Specification Design Rationale Security
More informationCryptanalysis of TWIS Block Cipher
Cryptanalysis of TWIS Block Cipher Onur Koçak and Neşe Öztop Institute of Applied Mathematics, Middle East Technical University, Turkey {onur.kocak,noztop}@metu.edu.tr Abstract. TWIS is a 128-bit lightweight
More informationA New Improved Key-Scheduling for Khudra
A New Improved Key-Scheduling for Khudra Secure Embedded Architecture Laboratory, Indian Institute of Technology, Kharagpur, India Rajat Sadhukhan, Souvik Kolay, Shashank Srivastava, Sikhar Patranabis,
More informationA Related-Key Attack on TREYFER
The Second International Conference on Emerging Security Information, Systems and Technologies A Related-ey Attack on TREYFER Aleksandar ircanski and Amr M Youssef Computer Security Laboratory Concordia
More informationTruncated Differential Analysis of Round-Reduced RoadRunneR Block Cipher
Truncated Differential Analysis of Round-Reduced RoadRunneR Block Cipher Qianqian Yang 1,2,3, Lei Hu 1,2,, Siwei Sun 1,2, Ling Song 1,2 1 State Key Laboratory of Information Security, Institute of Information
More informationin a 4 4 matrix of bytes. Every round except for the last consists of 4 transformations: 1. ByteSubstitution - a single non-linear transformation is a
Cryptanalysis of Reduced Variants of Rijndael Eli Biham Λ Nathan Keller y Abstract Rijndael was submitted to the AES selection process, and was later selected as one of the five finalists from which one
More informationLinear Cryptanalysis of Reduced Round Serpent
Linear Cryptanalysis of Reduced Round Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion Israel Institute of Technology, Haifa 32000, Israel, {biham,orrd}@cs.technion.ac.il,
More informationAn Improved Truncated Differential Cryptanalysis of KLEIN
An Improved Truncated Differential Cryptanalysis of KLEIN hahram Rasoolzadeh 1, Zahra Ahmadian 2, Mahmoud almasizadeh 3, and Mohammad Reza Aref 3 1 imula Research Laboratory, Bergen, Norway, 2 hahid Beheshti
More informationDifferential-Linear Cryptanalysis of Serpent
Differential-Linear Cryptanalysis of Serpent Eli Biham 1, Orr Dunkelman 1, and Nathan Keller 2 1 Computer Science Department, Technion, Haifa 32000, Israel {biham,orrd}@cs.technion.ac.il 2 Mathematics
More informationDesign and Implementation of New Lightweight Encryption Technique
From the SelectedWorks of Sakshi Sharma May, 2016 Design and Implementation of New Lightweight Encryption Technique M. Sangeetha Dr. M. Jagadeeswari This work is licensed under a Creative Commons CC_BY-NC
More informationA Chosen-Plaintext Linear Attack on DES
A Chosen-Plaintext Linear Attack on DES Lars R. Knudsen and John Erik Mathiassen Department of Informatics, University of Bergen, N-5020 Bergen, Norway {lars.knudsen,johnm}@ii.uib.no Abstract. In this
More informationInternational Journal for Research in Applied Science & Engineering Technology (IJRASET) Performance Comparison of Cryptanalysis Techniques over DES
Performance Comparison of Cryptanalysis Techniques over DES Anupam Kumar 1, Aman Kumar 2, Sahil Jain 3, P Kiranmai 4 1,2,3,4 Dept. of Computer Science, MAIT, GGSIP University, Delhi, INDIA Abstract--The
More informationCryptography for Resource Constrained Devices: A Survey
Cryptography for Resource Constrained Devices: A Survey Jacob John Dept. of Computer Engineering Sinhgad Institute of Technology Pune, India. jj31270@yahoo.co.in Abstract Specifically designed and developed
More informationPUFFIN: A Novel Compact Block Cipher Targeted to Embedded Digital Systems
PUFFIN: A Novel Compact Block Cipher Targeted to Embedded Digital Systems Huiju Cheng, Howard M. Heys, and Cheng Wang Electrical and Computer Engineering Memorial University of Newfoundland St. John's,
More informationImproved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN Shahram Rasoolzadeh and Håvard Raddum Simula Research Laboratory {shahram,haavardr}@simula.no Abstract. We study multidimensional meet-in-the-middle
More informationSmall-Footprint Block Cipher Design -How far can you go?
Small-Footprint Block Cipher Design - How far can you go? A. Bogdanov 1, L.R. Knudsen 2, G. Leander 1, C. Paar 1, A. Poschmann 1, M.J.B. Robshaw 3, Y. Seurin 3, C. Vikkelsoe 2 1 Ruhr-University Bochum,
More informationBlock Ciphers Tutorial. c Eli Biham - May 3, Block Ciphers Tutorial (5)
Block Ciphers Tutorial c Eli Biham - May 3, 2005 146 Block Ciphers Tutorial (5) A Known Plaintext Attack on 1-Round DES After removing the permutations IP and FP we get: L R 48 K=? F L R c Eli Biham -
More informationImproved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN
Improved Multi-Dimensional Meet-in-the-Middle Cryptanalysis of KATAN Shahram Rasoolzadeh and Håvard Raddum Simula Research Laboratory Abstract. We study multidimensional meet-in-the-middle attacks on the
More informationLIGHTWEIGHT CRYPTOGRAPHY: A SURVEY
LIGHTWEIGHT CRYPTOGRAPHY: A SURVEY Shweta V. Pawar 1, T.R. Pattanshetti 2 1Student, Dept. of Computer engineering, College of Engineering Pune, Maharashtra, India 2 Professor, Dept. of Computer engineering,
More informationRelated-key Attacks on Triple-DES and DESX Variants
Related-key Attacks on Triple-DES and DESX Variants Raphael C.-W. han Department of Engineering, Swinburne Sarawak Institute of Technology, 1st Floor, State Complex, 93576 Kuching, Malaysia rphan@swinburne.edu.my
More informationTwo Attacks on Reduced IDEA (Extended Abstract)
1 Two Attacks on Reduced IDEA (Extended Abstract) Johan Borst 1, Lars R. Knudsen 2, Vincent Rijmen 2 1 T.U. Eindhoven, Discr. Math., P.O. Box 513, NL-5600 MB Eindhoven, borst@win.tue.nl 2 K.U. Leuven,
More informationElastic Block Ciphers: The Feistel Cipher Case
Elastic Block Ciphers: The Feistel Cipher Case Debra L. Cook Moti Yung Angelos D. Keromytis Department of Computer Science Columbia University, New York, NY dcook,moti,angelos @cs.columbia.edu Technical
More informationAlgebraic-Differential Cryptanalysis of DES
Algebraic-Differential Cryptanalysis of DES Jean-Charles FAUGÈRE, Ludovic PERRET, Pierre-Jean SPAENLEHAUER UPMC, Univ Paris 06, LIP6 INRIA, Centre Paris-Rocquencourt, SALSA Project CNRS, UMR 7606, LIP6
More informationFeW: A Lightweight Block Cipher
FeW: A Lightweight Block Cipher Manoj Kumar 1,, Saibal K. Pal 1 and Anupama Panigrahi 1 Scientific Analysis Group, DRDO, Delhi, INDIA Department of Mathematics, University of Delhi, INDIA mktalyan@yahoo.com
More informationImproved Linear Sieving Techniques with Applications to Step-Reduced LED-64
Improved Linear Sieving Techniques with Applications to Step-Reduced LED-64 Itai Dinur 1, Orr Dunkelman 2,4, Nathan eller 3 and Adi Shamir 4 1 École normale supérieure, France 2 University of Haifa, Israel
More informationPRESENT An Ultra-Lightweight Block Cipher
PRESENT An Ultra-Lightweight Block Cipher A. Bogdanov1, L. R. Knudsen3, G. Leander1, C. Paar1, A. Poschmann1, M. J. B. Robshaw2, Y. Seurin2, C. Vikkelsoe3 1 Ruhr-Universität Bochum 2 Technical University
More informationWeak Keys of the Full MISTY1 Block Cipher for Related-Key Cryptanalysis
3. 2 13.57 Weak eys for a Related-ey Differential Attack Weak eys of the Full MISTY1 Block Cipher for Related-ey Cryptanalysis Institute for Infocomm Research, Agency for Science, Technology and Research,
More informationPlaintext (P) + F. Ciphertext (T)
Applying Dierential Cryptanalysis to DES Reduced to 5 Rounds Terence Tay 18 October 1997 Abstract Dierential cryptanalysis is a powerful attack developed by Eli Biham and Adi Shamir. It has been successfully
More informationImproved Impossible Differential Attacks against Round-Reduced LBlock
Improved Impossible Differential Attacks against Round-Reduced LBlock Christina Boura, Marine Minier, María Naya-Plasencia, Valentin Suder To cite this version: Christina Boura, Marine Minier, María Naya-Plasencia,
More informationFundamentals of Cryptography
Fundamentals of Cryptography Topics in Quantum-Safe Cryptography June 23, 2016 Part III Data Encryption Standard The Feistel network design m m 0 m 1 f k 1 1 m m 1 2 f k 2 2 DES uses a Feistel network
More informationAlgebraic Techniques in Differential Cryptanalysis
Algebraic Techniques in Differential Cryptanalysis Martin Albrecht and Carlos Cid Information Security Group, Royal Holloway, University of London Egham, Surrey TW20 0EX, United Kingdom {M.R.Albrecht,carlos.cid}@rhul.ac.uk
More informationAttack on DES. Jing Li
Attack on DES Jing Li Major cryptanalytic attacks against DES 1976: For a very small class of weak keys, DES can be broken with complexity 1 1977: Exhaustive search will become possible within 20 years,
More informationDierential-Linear Cryptanalysis of Serpent? Haifa 32000, Israel. Haifa 32000, Israel
Dierential-Linear Cryptanalysis of Serpent Eli Biham, 1 Orr Dunkelman, 1 Nathan Keller 2 1 Computer Science Department, Technion. Haifa 32000, Israel fbiham,orrdg@cs.technion.ac.il 2 Mathematics Department,
More informationThe signal to noise ratio in the differential cryptanalysis of 9 rounds of data encryption standard
The signal to noise ratio in the differential cryptanalysis of 9 rounds of data encryption standard Regular paper Michał Misztal Abstract There is presented the differential cryptanalysis method of attack
More informationRecent Meet-in-the-Middle Attacks on Block Ciphers
ASK 2012 Nagoya, Japan Recent Meet-in-the-Middle Attacks on Block Ciphers Takanori Isobe Sony Corporation (Joint work with Kyoji Shibutani) Outline 1. Meet-in-the-Middle (MitM) attacks on Block ciphers
More informationElastic Block Ciphers: The Feistel Cipher Case
Elastic Block Ciphers: The Feistel Cipher Case Debra L. Cook Moti Yung Angelos D. Keromytis Department of Computer Science Columbia University, New York, NY dcook,moti,angelos @cs.columbia.edu Technical
More informationFault-propagation Pattern Based DFA on SPN Structure Block Ciphers using Bitwise Permutation, with Application to PRESENT and PRINTcipher
Fault-propagation Pattern Based DFA on SPN Structure Block Ciphers using Bitwise Permutation, with Application to PRESENT and PRINTcipher XinJie Zhao 1, Tao Wang 1, ShiZe Guo 2,3 1 (Department of Computer
More informationPiret and Quisquater s DFA on AES Revisited
Piret and Quisquater s DFA on AES Revisited Christophe Giraud 1 and Adrian Thillard 1,2 1 Oberthur Technologies, 4, allée du doyen Georges Brus, 33 600 Pessac, France. c.giraud@oberthur.com 2 Université
More informationDifferential Cryptanalysis
Differential Cryptanalysis See: Biham and Shamir, Differential Cryptanalysis of the Data Encryption Standard, Springer Verlag, 1993. c Eli Biham - March, 28 th, 2012 1 Differential Cryptanalysis The Data
More informationEnhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128)
Enhanced Cryptanalysis of Substitution Cipher Chaining mode (SCC-128) Mohamed Abo El-Fotouh and Klaus Diepold Institute for Data Processing (LDV) Technische Universität München (TUM) 80333 Munich Germany
More informationMulti-Stage Fault Attacks
Multi-Stage Fault Attacks Applications to the Block Cipher PRINCE Philipp Jovanovic Department of Informatics and Mathematics University of Passau March 27, 2013 Outline 1. Motivation 2. The PRINCE Block
More informationThe Rectangle Attack
The Rectangle Attack and Other Techniques for Cryptanalysis of Block Ciphers Orr Dunkelman Computer Science Dept. Technion joint work with Eli Biham and Nathan Keller Topics Block Ciphers Cryptanalysis
More informationLinear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge
Linear Cryptanalysis of FEAL 8X Winning the FEAL 25 Years Challenge Yaniv Carmeli Joint work with Prof. Eli Biham CRYPTODAY 2014 FEAL FEAL Published in 1987, designed by Miyaguchi and Shimizu (NTT). 64-bit
More informationA Related Key Attack on the Feistel Type Block Ciphers
International Journal of Network Security, Vol.8, No.3, PP.221 226, May 2009 221 A Related Key Attack on the Feistel Type Block Ciphers Ali Bagherzandi 1,2, Mahmoud Salmasizadeh 2, and Javad Mohajeri 2
More informationPractical Key Recovery Attack on MANTIS 5
ractical Key Recovery Attack on ANTI Christoph Dobraunig, aria Eichlseder, Daniel Kales, and Florian endel Graz University of Technology, Austria maria.eichlseder@iaik.tugraz.at Abstract. ANTI is a lightweight
More informationA Meet in the Middle Attack on Reduced Round Kuznyechik
IEICE TRANS. FUNDAMENTALS, VOL.Exx??, NO.xx XXXX 200x 1 LETTER Special Section on Cryptography and Information Security A Meet in the Middle Attack on Reduced Round Kuznyechik Riham ALTAWY a), Member and
More informationOn the Security of the 128-Bit Block Cipher DEAL
On the Security of the 128-Bit Block Cipher DAL Stefan Lucks Theoretische Informatik University of Mannheim, 68131 Mannheim A5, Germany lucks@th.informatik.uni-mannheim.de Abstract. DAL is a DS-based block
More informationImproved Attack on Full-round Grain-128
Improved Attack on Full-round Grain-128 Ximing Fu 1, and Xiaoyun Wang 1,2,3,4, and Jiazhe Chen 5, and Marc Stevens 6, and Xiaoyang Dong 2 1 Department of Computer Science and Technology, Tsinghua University,
More informationImproved Truncated Differential Attacks on SAFER
Improved Truncated Differential Attacks on SAFER Hongjun Wu * Feng Bao ** Robert H. Deng ** Qin-Zhong Ye * * Department of Electrical Engineering National University of Singapore Singapore 960 ** Information
More informationIntegral Cryptanalysis of the BSPN Block Cipher
Integral Cryptanalysis of the BSPN Block Cipher Howard Heys Department of Electrical and Computer Engineering Memorial University hheys@mun.ca Abstract In this paper, we investigate the application of
More informationSide channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut
Side channel attack: Power Analysis Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut Conventional Cryptanalysis Conventional cryptanalysis considers crypto systems as mathematical objects Assumptions:
More informationSymmetric Cryptography. Chapter 6
Symmetric Cryptography Chapter 6 Block vs Stream Ciphers Block ciphers process messages into blocks, each of which is then en/decrypted Like a substitution on very big characters 64-bits or more Stream
More informationEncryption / decryption system. Fig.1. Block diagram of Hummingbird
801 Lightweight VLSI Design of Hybrid Hummingbird Cryptographic Algorithm NIKITA ARORA 1, YOGITA GIGRAS 2 12 Department of Computer Science, ITM University, Gurgaon, INDIA 1 nikita.0012@gmail.com, 2 gigras.yogita@gmail.com
More informationCryptanalysis. Andreas Klappenecker Texas A&M University
Cryptanalysis Andreas Klappenecker Texas A&M University How secure is a cipher? Typically, we don t know until it is too late Typical Attacks against Encryption Algorithms Ciphertext only attack: The attacker
More informationBlow-CAST-Fish: A New 64-bit Block Cipher
282 Blow-CAST-Fish: A New 64-bit Block Cipher Krishnamurthy G.N, Dr. V. Ramaswamy, Leela G.H and Ashalatha M.E Bapuji Institute of Engineering and Technology, Davangere-577004, Karnataka, India Summary:
More informationArea Optimization in Masked Advanced Encryption Standard
IOSR Journal of Engineering (IOSRJEN) ISSN (e): 2250-3021, ISSN (p): 2278-8719 Vol. 04, Issue 06 (June. 2014), V1 PP 25-29 www.iosrjen.org Area Optimization in Masked Advanced Encryption Standard R.Vijayabhasker,
More informationAnalysis of the Use of Whirlpool s S-box, S1 and S2 SEED s S- box in AES Algorithm with SAC Test Novita Angraini, Bety Hayat Susanti, Magfirawaty
Information Systems International Conference (ISICO), 2 4 December 2013 Analysis of the Use of Whirlpool s S-box, S1 and S2 SEED s S- box in AES Algorithm with SAC Test Novita Angraini, Bety Hayat Susanti,
More informationA SIMPLIFIED IDEA ALGORITHM
A SIMPLIFIED IDEA ALGORITHM NICK HOFFMAN Abstract. In this paper, a simplified version of the International Data Encryption Algorithm (IDEA) is described. This simplified version, like simplified versions
More informationBiclique Attack of the Full ARIA-256
Biclique Attack of the Full ARIA-256 Shao-zhen Chen Tian-min Xu Zhengzhou Information Science and Technology Institute Zhengzhou 450002, China January 8, 202 Abstract In this paper, combining the biclique
More informationNew Cryptanalytic Results on IDEA
New Cryptanalytic Results on IDEA Eli Biham, Orr Dunkelman, Nathan Keller Computer Science Dept., Technion Dept. of Electrical Engineering ESAT SCD/COSIC, KUL Einstein Institute of Mathematics, Hebrew
More informationA New Meet-in-the-Middle Attack on the IDEA Block Cipher
A New Meet-in-the-Middle Attack on the IDEA Block Cipher Hüseyin Demirci 1, Ali Aydın Selçuk, and Erkan Türe 3 1 Tübitak UEKAE, 41470 Gebze, Kocaeli, Turkey huseyind@uekae.tubitak.gov.tr Department of
More informationLightweight Crypto Design Principles - Approaches and Limitations
Lightweight Crypto Design Principles - Approaches and Limitations Axel Poschmann Division of Mathematical Sciences School of Physical and Mathematical Sciences August 31, 2011 Agenda Motivation Background
More informationNew Cryptanalytic Results on IDEA
New Cryptanalytic Results on IDEA Eli Biham, Orr Dunkelman, Nathan Keller Computer Science Dept., Technion Dept. of Electrical Engineering ESAT SCD/COSIC, KUL Einstein Institute of Mathematics, Hebrew
More informationA Methodology for Differential-Linear Cryptanalysis and Its Applications
A Methodology for Differential-Linear Cryptanalysis and Its Applications Jiqiang Lu Presenter: Jian Guo Institute for Infocomm Research, Agency for Science, Technology and Research, 1 Fusionopolis Way,
More informationA 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN
A 3-Subset Meet-in-the-Middle Attack: Cryptanalysis of the Lightweight Block Cipher KTANTAN Andrey Bogdanov and Christian Rechberger Katholieke Universiteit Leuven, ESAT/COSIC and IBBT, Belgium {andrey.bogdanov,christian.rechberber}@esat.kuleuven.be
More informationCryptanalysis of PRESENT-like Ciphers with Secret S-boxes
Cryptanalysis of PRESENT-like Ciphers with Secret S-boxes Julia Borghoff, Lars R. Knudsen, Gregor Leander, Søren S. Thomsen Department of Mathematics, Technical University of Denmark Abstract. At Eurocrypt
More informationBlind Differential Cryptanalysis for Enhanced Power Attacks
Blind Differential Cryptanalysis for Enhanced Power Attacks Bart Preneel COSIC K.U.Leuven - Belgium bart.preneel(at)esat.kuleuven.be Joint work with Helena Handschuh Concept Differential cryptanalysis
More informationCryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái
Cryptography and Network Security Block Ciphers + DES Lectured by Nguyễn Đức Thái Outline Block Cipher Principles Feistel Ciphers The Data Encryption Standard (DES) (Contents can be found in Chapter 3,
More informationA Differential Fault Attack against Early Rounds of (Triple-)DES
A Differential Fault Attack against Early Rounds of (Triple-)DES Ludger Hemme Giesecke & Devrient GmbH Prinzregentenstr. 159, 81677 Munich, Germany ludger.hemme@de.gi-de.com Abstract. Previously proposed
More informationCryptography and Network Security Chapter 3. Modern Block Ciphers. Block vs Stream Ciphers. Block Cipher Principles
Cryptography and Network Security Chapter 3 Fifth Edition by William Stallings Lecture slides by Lawrie Brown Chapter 3 Block Ciphers and the Data Encryption Standard All the afternoon Mungo had been working
More informationCSCE 813 Internet Security Symmetric Cryptography
CSCE 813 Internet Security Symmetric Cryptography Professor Lisa Luo Fall 2017 Previous Class Essential Internet Security Requirements Confidentiality Integrity Authenticity Availability Accountability
More informationMeet-in-the-Middle Attack on 8 Rounds of the AES Block Cipher under 192 Key Bits
Meet-in-the-Middle Attack on 8 Rounds of the AES Block Cipher under 192 Key Bits Yongzhuang Wei 1,3,, Jiqiang Lu 2,, and Yupu Hu 3 1 Guilin University of Electronic Technology, Guilin City, Guangxi Province
More informationOn the Design of Secure Block Ciphers
On the Design of Secure Block Ciphers Howard M. Heys and Stafford E. Tavares Department of Electrical and Computer Engineering Queen s University Kingston, Ontario K7L 3N6 email: tavares@ee.queensu.ca
More informationc Eli Biham - March 13, Cryptanalysis of Modes of Operation (4) c Eli Biham - March 13, Cryptanalysis of Modes of Operation (4)
Single Modes: the S Modes of Operation Modes of Operation are used to hide patterns in the plaintexts, protect against chosen plaintext attacks, and to support fast on-line encryption with precomputation.
More informationFew Other Cryptanalytic Techniques
Few Other Cryptanalytic Techniques Debdeep Mukhopadhyay Assistant Professor Department of Computer Science and Engineering Indian Institute of Technology Kharagpur INDIA -721302 Objectives Boomerang Attack
More informationAlgebraicDierential Cryptanalysis of DES
AlgebraicDierential Cryptanalysis of DES JeanCharles Faugère Ludovic Perret PierreJean Spaenlehauer UPMC LIP6 CNRS INRIA Paris - Rocquencourt SALSA team Journées C2 1/33 PJ Spaenlehauer Plan Introduction
More informationImproving Impossible Differential Cr with Concrete Investigation of Key S Algorithm and Its Application to Lbl
JAIST Reposi https://dspace.j Title Improving Impossible Differential Cr with Concrete Investigation of Key S Algorithm and Its Application to Lbl Chen, Jiageng; Futa, Yuichi; Miyaji, Author(s) Chunhua
More informationThis document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore.
This document is downloaded from DR-NTU, Nanyang Technological University Library, Singapore. Title Improved Meet-in-the-Middle cryptanalysis of KTANTAN (poster) Author(s) Citation Wei, Lei; Rechberger,
More informationI-PRESENT TM : An Involutive Lightweight Block Cipher
Journal of Information Security, 2014, 5, 114-122 Published Online July 2014 in SciRes. http://www.scirp.org/journal/jis http://dx.doi.org/10.4236/jis.2014.53011 I-PRESENT TM : An Involutive Lightweight
More informationSyrvey on block ciphers
Syrvey on block ciphers Anna Rimoldi Department of Mathematics - University of Trento BunnyTn 2012 A. Rimoldi (Univ. Trento) Survey on block ciphers 12 March 2012 1 / 21 Symmetric Key Cryptosystem M-Source
More informationStream Ciphers and Block Ciphers
Stream Ciphers and Block Ciphers 2MMC10 Cryptology Fall 2015 Ruben Niederhagen October 6th, 2015 Introduction 2/32 Recall: Public-key crypto: Pair of keys: public key for encryption, private key for decryption.
More informationImproved Meet-in-the-Middle Attacks on AES-192 and PRINCE
Improved Meet-in-the-Middle Attacks on AES-92 and PRINCE Leibo Li,2, Keting Jia 2 and Xiaoyun Wang,2,3 Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong
More informationCryptanalysis of Block Ciphers: A Survey
UCL Crypto Group Technical Report Series Cryptanalysis of Block Ciphers: A Survey Francois-Xavier Standaert, Gilles Piret, Jean-Jacques Quisquater REGARDS GROUPE http://www.dice.ucl.ac.be/crypto/ Technical
More informationImproved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks
Jeong et al. EURASIP Journal on Wireless Communications and Networking 2013, 2013:151 RESEARCH Improved differential fault analysis on lightweight block cipher LBlock for wireless sensor networks Kitae
More informationLecture 3: Symmetric Key Encryption
Lecture 3: Symmetric Key Encryption CS996: Modern Cryptography Spring 2007 Nitesh Saxena Outline Symmetric Key Encryption Continued Discussion of Potential Project Topics Project proposal due 02/22/07
More informationLecture 4: Symmetric Key Encryption
Lecture 4: Symmetric ey Encryption CS6903: Modern Cryptography Spring 2009 Nitesh Saxena Let s use the board, please take notes 2/20/2009 Lecture 1 - Introduction 2 Data Encryption Standard Encrypts by
More informationEfficient Implementation of Grand Cru with TI C6x+ Processor
Efficient Implementation of Grand Cru with TI C6x+ Processor Azhar Ali Khan 1, Ghulam Murtaza 2 1 Sichuan University, Chengdu, China 2 National University of Sciences and Technology, Islamabad, Pakistan
More informationA New Attack with Side Channel Leakage during Exponent Recoding Computations
A New Attack with Side Channel Leakage during Exponent Recoding Computations Yasuyuki Sakai 1 and Kouichi Sakurai 2 1 Mitsubishi Electric Corporation, 5-1-1 Ofuna, Kamakura, Kanagawa 247-8501, Japan ysakai@iss.isl.melco.co.jp
More informationCryptanalysis of the Speck Family of Block Ciphers
Cryptanalysis of the Speck Family of Block Ciphers Farzaneh Abed, Eik List, Stefan Lucks, and Jakob Wenzel Bauhaus-Universität Weimar, Germany {farzaneh.abed, eik.list, stefan.lucks, jakob.wenzel}@uni-weimar.de
More informationKey Recovery Attacks of Practical Complexity on AES-256 Variants With Up To 10 Rounds
Key Recovery Attacks of Practical Complexity on AES-256 Variants With Up To 10 Rounds Alex Biryukov 1, Orr Dunkelman 2,4, Nathan Keller 3,4, Dmitry Khovratovich 1, and Adi Shamir 4 1 University of Luxembourg,
More informationGeneralized MitM Attacks on Full TWINE
Generalized MitM Attacks on Full TWINE Mohamed Tolba, Amr M. Youssef Concordia Institute for Information Systems Engineering, Concordia University, Montréal, Québec, Canada. Abstract TWINE is a lightweight
More informationChapter 6: Contemporary Symmetric Ciphers
CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Chapter 6: Contemporary Symmetric Ciphers Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Why Triple-DES?
More informationA New Attack on the LEX Stream Cipher
A New Attack on the LEX Stream Cipher Orr Dunkelman, and Nathan Keller, École Normale Supérieure Département d Informatique, CNRS, INRIA 5 rue d Ulm, 50 Paris, France. orr.dunkelman@ens.fr Einstein Institute
More informationA Meet-in-the-Middle Attack on 8-Round AES
A Meet-in-the-Middle Attack on 8-Round AES Hüseyin Demirci 1 and Ali Aydın Selçuk 2 1 Tübitak UEKAE, 41470 Gebze, Kocaeli, Turkey huseyind@uekae.tubitak.gov.tr 2 Department of Computer Engineering Bilkent
More informationENGI 8868/9877 Computer and Communications Security III. BLOCK CIPHERS. Symmetric Key Cryptography. insecure channel
(a) Introduction - recall symmetric key cipher: III. BLOCK CIPHERS k Symmetric Key Cryptography k x e k y yʹ d k xʹ insecure channel Symmetric Key Ciphers same key used for encryption and decryption two
More informationHill Cipher with Parallel Processing Involving Column, Row Shuffling, Permutation and Iteration on Plaintext and Key
International Journal of Computer Networks and Security, ISSN:25-6878, Vol.23, Issue.2 7 Hill Cipher with Parallel Processing Involving Column, Row Shuffling, Permutation and Iteration on Plaintext and
More informationA General Analysis of the Security of Elastic Block Ciphers
A General Analysis of the Security of Elastic Block Ciphers Debra L. Cook and Moti Yung and Angelos Keromytis Department of Computer Science, Columbia University {dcook,moti,angelos}@cs.columbia.edu September
More informationDifferential Sieving for 2-Step Matching Meet-in-the-Middle Attack with Application to LBlock
Differential Sieving for 2-Step Matching Meet-in-the-Middle Attack with Application to LBlock Riham AlTawy and Amr M. Youssef (B) Concordia Institute for Information Systems Engineering, Concordia University,
More informationNetwork Security. Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar
Network Security Lecture# 6 Lecture Slides Prepared by: Syed Irfan Ullah N.W.F.P. Agricultural University Peshawar Modern Block Ciphers now look at modern block ciphers one of the most widely used types
More informationJournal of Discrete Mathematical Sciences & Cryptography Vol. ( ), No., pp. 1 10
Randomizing encryption mode Yi-Shiung Yeh 1, I-Te Chen 1, Chan-Chi Wang 2, 1 Department of Computer Science and Information Engineering National Chiao-Tung University 1001 Ta Hsueh Road Hsinchu 30050 Taiwan
More information